We use cookies and other similar technology to collect data to improve your experience on our site, as described in our Privacy Policy.

AppsCode
  • KubeDB

    Run Production-Grade Databases on Kubernetes

    arrow_forward
    Stash

    Backup and Recovery Solution for Kubernetes

    arrow_forward
    KubeVault

    Run Production-Grade Vault on Kubernetes

    arrow_forward
    Voyager

    Secure HAProxy Ingress Controller for Kubernetes

    arrow_forward
    ConfigSyncer

    Kubernetes Configuration Syncer

    arrow_forward
    Guard

    Kubernetes Authentication WebHook Server

    arrow_forward
    KubeDB

    KubeDB simplifies Provision, Upgrade, Scaling, Volume Expansion, Monitor, Backup, Restore for various Databases in Kubernetes on any Public & Private Cloud

    • task_altLower administrative burden
    • task_altNative Kubernetes Support
    • task_altPerformance
    • task_altAvailability and durability
    • task_altManageability
    • task_altCost-effectiveness
    • task_altSecurity
    Stash

    A complete Kubernetes native disaster recovery solution for backup and restore your volumes and databases in Kubernetes on any public and private clouds.

    • task_altDeclarative API
    • task_altBackup Kubernetes Volumes
    • task_altBackup Database
    • task_altMultiple Storage Support
    • task_altDeduplication
    • task_altData Encryption
    • task_altVolume Snapshot
    • task_altPolicy Based Backup
    KubeVault

    KubeVault is a Git-Ops ready, production-grade solution for deploying and configuring Hashicorp's Vault on Kubernetes.

    • task_altVault Kubernetes Deployment
    • task_altAuto Initialization & Unsealing
    • task_altVault Backup & Restore
    • task_altConsume KubeVault Secrets with CSI
    • task_altManage DB Users Privileges
    • task_altStorage Backend
    • task_altAuthentication Method
    • task_altDatabase Secret Engine
    Voyager

    Secure HAProxy Ingress Controller for Kubernetes

    • task_altHTTP & TCP
    • task_altSSL
    • task_altPlatform support
    • task_altHAProxy
    • task_altPrometheus
    • task_altLet's Encrypt
    configsyncer

    Kubernetes Configuration Syncer

    • task_altConfiguration Syncer
    Guard

    Kubernetes Authentication WebHook Server

    • task_altIdentity Providers
    • task_altCLI
    • task_altRBAC
  • RESOURCES
  • Webinar New
CONTACT SALES
KubeDB KubeDB
github-icon twitterx-icon
TRY NOW FREE
You are looking at the documentation of a prior release. To read the documentation of the latest release, please visit here.

New to KubeDB? Please start here.

Search Guard

Search Guard(®) is an Elasticsearch plugin that offers encryption, authentication, and authorization. It supports fine grained role-based access control to clusters, indices, documents and fields.

  • Search Guard authenticates the credentials against the configured authentication backend(s).
  • Search Guard authorizes the user by retrieving a list of the user’s roles from the configured authorization backend

TLS certificates

Search Guard relies heavily on the use of TLS, both for the REST and the transport layer of Elasticsearch. TLS is configured in the elasticsearch.yml file of Elasticsearch installation.

Following keys are used to configure location of keystore and truststore files.

Transport layer TLS

Name Description
searchguard.ssl.transport.keystore_filepath Path to the keystore file, relative to the config/ directory (mandatory)
searchguard.ssl.transport.keystore_password Keystore password
searchguard.ssl.transport.truststore_filepath Path to the truststore file, relative to the config/ directory (mandatory)
searchguard.ssl.transport.truststore_password Truststore password

REST layer TLS

Name Description
searchguard.ssl.http.enabled Whether to enable TLS on the REST layer or not
searchguard.ssl.http.keystore_filepath Path to the keystore file, relative to the config/ directory (mandatory)
searchguard.ssl.http.keystore_password Keystore password
searchguard.ssl.http.truststore_filepath Path to the truststore file, relative to the config/ directory (mandatory)
searchguard.ssl.http.truststore_password Truststore password

Note: KubeDB Elasticsearch is configured with keystore and truststore files in JKS format

Configuring Admin certificates

Admin certificates are regular client certificates that have elevated rights to perform administrative tasks. You need an admin certificate to change the Search Guard configuration via the sgadmin command line tool. Admin certificates are configured in elasticsearch.yml by simply stating their DN(s).

searchguard.authcz.admin_dn:
  - CN=sgadmin, O=Elasticsearch Operator

Client authentication

With TLS client authentication enabled, REST clients can send a TLS certificate with the HTTP request to provide identity information to Search Guard.

  • You can provide an admin certificate when using the REST API.
  • You can provide Basic Auth with client certificates.

Note: Search Guard accepts TLS client certificates if they are sent, but does not enforce them.

Next Steps

What's on this Page

Search
Improve This Page